Export limit exceeded: 344621 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344621 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-23659 | 1 Microsoft | 1 Azure Data Factory | 2026-04-14 | 8.6 High |
| Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-34478 | 1 Apache | 1 Log4j | 2026-04-14 | 5.8 Medium |
| Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. | ||||
| CVE-2026-26120 | 1 Microsoft | 1 Bing | 2026-04-14 | 6.5 Medium |
| Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network. | ||||
| CVE-2026-23658 | 1 Microsoft | 2 Azure Devops, Azure Devops Msazure | 2026-04-14 | 8.6 High |
| Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-34479 | 1 Apache | 2 Log4j, Log4j 1 2 Api | 2026-04-14 | 5.3 Medium |
| The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge. | ||||
| CVE-2026-32191 | 1 Microsoft | 1 Bing Images | 2026-04-14 | 9.8 Critical |
| Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-34480 | 1 Apache | 1 Log4j | 2026-04-14 | 5.3 Medium |
| Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. | ||||
| CVE-2026-26138 | 1 Microsoft | 2 Office Purview, Purview | 2026-04-14 | 8.6 High |
| Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-26139 | 1 Microsoft | 2 Office Purview, Purview | 2026-04-14 | 8.6 High |
| Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-34481 | 1 Apache | 2 Log4j, Log4j Layout Template Json | 2026-04-14 | 5.3 Medium |
| Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. | ||||
| CVE-2026-26148 | 1 Microsoft | 1 Azure Ad Ssh Login Extension For Linux | 2026-04-14 | 8.1 High |
| External initialization of trusted variables or data stores in Azure Entra ID allows an unauthorized attacker to elevate privileges locally. | ||||
| CVE-2026-40023 | 1 Apache | 1 Log4cxx | 2026-04-14 | 5.3 Medium |
| Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue. | ||||
| CVE-2026-26122 | 1 Microsoft | 2 Aci Confidential Containers, Microsoft Aci Confidential Containers | 2026-04-14 | 6.5 Medium |
| Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network. | ||||
| CVE-2026-1502 | 1 Python | 1 Cpython | 2026-04-14 | 4.5 Medium |
| CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | ||||
| CVE-2026-26125 | 1 Microsoft | 1 Payment Orchestrator Service | 2026-04-14 | 8.6 High |
| Payment Orchestrator Service Elevation of Privilege Vulnerability | ||||
| CVE-2026-26124 | 1 Microsoft | 3 Aci Confidential Containers, Confidental Containers, Microsoft Aci Confidential Containers | 2026-04-14 | 6.7 Medium |
| '.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-3446 | 1 Python | 1 Cpython | 2026-04-14 | 5.3 Medium |
| When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | ||||
| CVE-2026-21536 | 1 Microsoft | 1 Devices Pricing Program | 2026-04-14 | 9.8 Critical |
| Microsoft Devices Pricing Program Remote Code Execution Vulnerability | ||||
| CVE-2026-23651 | 1 Microsoft | 2 Aci Confidential Containers, Microsoft Aci Confidential Containers | 2026-04-14 | 6.7 Medium |
| Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-40175 | 1 Axios | 1 Axios | 2026-04-14 | 10 Critical |
| Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1. | ||||